Hypervisors Credits: P. Chaganti Xen Virtualization A practical handbook D. Chisnall The definitive guide to Xen Hypervisor G. Kesden Lect. 25 CS 15-440 G. Heiser UNSW/NICTA/OKL Virtualization is a technique of partitioning the resources of a single computing platform into multiple segregated, virtualized, execution environments. Each environment runs independently of the other, thus allowing multiple operating systems to run on the same hardware. The concept of virtualization already present in every-day computing Most modern operating systems contain a simplified system of virtualization; Each running process is able to act as if it is the only thing running. The CPUs and memory are virtualized. Virtualization of the CPU: If a process tries to consume all of the CPU, a modern operating system will preempt it and allow other processes to execute; Virtualization of the memory: a running process typically has its own virtual address space that the operating system maps to physical memory to give the process the illusion that it is the only user of RAM. Each execution environment is called a guest and the computing platform on which they execute is called the host. The software enabling these multiple execution environments is commonly referred to as Hypervisor or Virtual Machine Monitor (VMM). The Hypervisor runs on the host and acts as a bridge between the host and the guests; 1
Mixed OS Environment Multiple VMs can be implemented on a single hardware platform to provide individuals or user groups with their own OS environments Mixed OS Environment Virtualization implies a two-level hierarchical scheduling framework VM1 VM2 VM3 VM4 VM5 VM1 VM2 VM3 VM4 VM5 Linux Red Hat Solaris 10 XP Vista Mac OS Linux Red Hat Solaris 10 XP Vista Mac OS Hypervisor Hypervisor Global Hardware Hardware Figure: G. Kesden Figure: G. Kesden Benefits of Virtualization Virtualization Properties A system VM provides a sandbox that isolates one system environment from other environments A single hardware platform can support multiple operating systems concurrently Multiple Secure Environment Mixed OS Environment Failure Isolation Better System Utilization Virtualization helps isolate the effects of a failure to the VM where the failure occurred A virtualized system can be (dynamically or statically) reconfigured for changing needs Fault Isolation Software Isolation Performance Isolation (accomplished through scheduling and resource allocation) Isolation All VM state can be captured into a file (i.e., you can operate on VM by operating on file cp, rm) Complexity is proportional to virtual HW model and independent of guest software configuration All guest actions go through the virtualizing software which can inspect, modify, and deny operations Security Encapsulation Interposition 1 2 3 Figure: G. Kesden Figure: G. Kesden Methodologies Three main methodologies used for providing virtualization: System Emulation All the hardware resources are emulated. The guest operating system can be run without any modification; It can use the hardware resources through the hardware emulation layer; The VMM executes the CPU instructions that need more privileges than are available in the user space. Methodologies Paravirtualization No hardware emulation. The operating system that runs on a guest needs to be a modified version that is aware of the fact that it is running inside a hypervisor; Lower number of privileged CPU instructions that need to be executed; Higher performance w.r.t emulation, closer to native speed. 2
Methodologies OS Level Virtualization Each guest is isolated and runs in a secure environment. Only multiple instances of guests that run the same operating systems as the host; Close to sandboxes; Low run-time overhead. E.g., FreeBSD Jails, Solaris Zones Types of Hypervisor Gerald J. Popek and Robert P. Goldberg Formal Requirements for Virtualizable Third Generation Architectures, 1974 Type 1: native (bare-metal) hypervisors The Hypervisor runs directly on the host's hardware to control the hardware and to manage guest operating systems. E.g., Xen, VMWare ESXi, Microsoft Hyper-V Type 2: hosted hypervisors These hypervisors run on a conventional operating system just as other computer programs do. E.g., VMWare Workstation, VirtualBox Types of Hypervisor OS OS OS Hypervisor Hardware OS OS OS Hypervisor OS Hardware Trap and Emulate Raise of an exception (trap) when the guest executes a privileged instruction (e.g., accessing a physical resources); The exception handler is used to invoke the hypervisor code. Type-1 (bare-metal) Type-2 (hosted) Figure: G. Heiser Trap and Emulate Popek and Goldberg, 1974 For any conventional third-generation computer, an effective VMM may be constructed if the set of sensitive instructions for that computer is a subset of the set of privileged instructions. Trap and Emulate Popek and Goldberg, 1974 Inotherwords It is sufficient that all the instructions that could affect the correct functioning of the VMM (sensitive instructions) always trap and pass control to the VMM. Figure: G. Heiser Figure: G. Heiser 3
Trap and Emulate Most common architectures are not virtualizable according to definition of Popek and Goldberg x86 lots of unvirtualizable features E.g., PUSH of PSW (Processor State Word) is not privileged MIPS mostly virtualizable, but Kernel registers k0,k1 (needed to save/restore state) are useraccessible ARM mostly virtualizable but Some instructions are undefined in user-mode Impure Virtualization Change the Guest OS code replacing sensitive instructions Paravirtualization by trapping code (hypercalls) Binary translation - In-line code emulation Hypercall Virtualization historically used for easier sharing of expensive mainframes. Gone out of fashion in 80 s and resurrected in recent years for improved isolation in modern computing systems. Why virtualization for? License Separation System composed of Linux + proprietary SW (not open-source) VMs can be used to isolate Linux Software-Architecture Abstraction Support for product series: same software running on different hardware; Decoupling from the real hardware. Benefits Time-to-market; Engineering cost. Certification Issues Encapsulation of a safety-critical subsystem that can be certified independently of the other subsystems running on the same platform 4
Security Protection against exploits; E.g., software attacked by UI exploits Automotive Case-Study Proliferation of ECUs: more than doubled in 10 years It is possible to compromise thecoreswfromanattackof the UI SW Virtualization protects this kind of attacks ensuring a separation into different VMs Automotive Case-Study Trend: Integration in fewer, more powerful, ECUs Automotive Case-Study Thanks to virtualization it is possible to re-use a complete legacy ECU software An Overview on What is Xen? Xen is an open-source paravirtualization technology that provides a platform for running multiple operating systems in parallel on one physical hardware resource Originally developed in 2003 at the University of Cambridge Computer Laboratory 5
Xen refers to each virtual machine that runs on a system as a domain. When Xen boots up, it first starts the hypervisor, which is responsible for starting a domain named Domain0 (dom0) in which a specific host operating system runs. Domain0 is a privileged domain that can access the hardware resources and can manage all the other domain (e.g., create, destroy, save, restore, etc.) An Unprivileged Domain (domu) guest is more restricted. Typically not allowed to perform hypercalls that directly access to the hardware. Not able to manage other domains or the hypervisor configuration Xen is based on para-virtualization Requires modification of the guest OS Insertion of hypercalls to replace privileged instructions; Time virtualization Hardware-assisted virtualization Newer processors have a set of instructions that makes virtualization easier x86: Intel VT-x and AMD Pacifica (AMD-V) The CPU provides traps for certain privileged instructions; Enable Guest OSes to be run without paravirtualization modifications (e.g., old OSes like Windows XP) 6
Domain Xen Hypercall (synchronous) Xen Domain Asynchronous Event Mechanism (AEM) that replaces device interrupts The Xen hypervisor is the basic abstraction layer of software that sits directly on the hardware below any operating systems. It is responsible for CPU scheduling (VCPU to CPU assignment) and memory partitioning of the various virtual machines running on the hardware device. dom0 domu domu Hypercall Xen AEM Xen currently supports 4 VCPU schedulers Credit Credit2 Proportional Fair Share (e.g.,weighted Round Robin) Xen does not provide any device driver. It has no direct knowledge of networking, external storage devices, video, or any other common I/O functions found on a computing system. RTDS ARINC 653 Global EDF with Reservation Servers Fixed Time Slices How does the I/O work in Xen? I/O in Xen dom0 is a privileged domain that can access all the hardware in the system TheOSrunningondom0hasthedevicedrivers and performs I/O operations on behalf of unprivileged guest domains (domu); Shared memory is used for the communication between a domu and dom0 7
Thank you! Alessandro Biondi alessandro.biondi@sssup.it 8